12/30/2010 @ 5:40PM

Genome Hackers

It is becoming surprisingly easy for someone to test your DNA without permission. Every drop of saliva you leave on a Styrofoam coffee cup or hair follicle that falls to the floor contains DNA that in theory can be tested for everything from ancestry to disease risk. In 2009 New Scientist writer Michael Reilly “hacked” a colleague’s genome using samples from a water glass. He found labs willing to extract DNA from the glass and amplify it, producing enough DNA to send off to a direct-to-consumer genetic testing company. Within weeks Reilly had results predicting his colleague was at risk for baldness, psoriasis and glaucoma.

Amazingly, there is no federal law against surreptitious DNA testing. There is also little regulation of what consumer genetics companies such as 23andMe and Pathway Genomics can and can’t do with their data. All this frightens lawyer and privacy crusader Jeremy Gruber, who heads the nonprofit Council for Responsible Genetics in New York. While people can replace a stolen credit card, “you simply cannot get a new genome,” he says. “We’re only at the beginning of discovering the risks to genetic privacy.”

Gruber, 39, has been pushing for tougher genetic privacy laws since he was a young ACLU lawyer in the 1990s. He was assigned to work on a case against Burlington Northern Santa Fe involving 36 employees with carpal tunnel syndrome who filed workers’ compensation claims. The railroad company made them submit blood samples before resolving the claims. Unbeknownst to them, it planned to test the samples to try to find a genetic predisposition to the syndrome. The company, without admitting fault, paid $2.2 million in 2002 to settle lawsuits saying it violated the Americans with Disabilities Act.

The case helped lead to a 2008 law, the Genetic Information Nondiscrimination Act, which prohibits HMOs from raising rates and employers from discriminating against workers on the basis of their genetic profiles. But the law says little about other spheres, such as what consumer genetics companies may do with all the data they collect. Contracts allowing companies to share your DNA data with researchers and other third parties are too broad, Gruber says, and don’t provide enough specifics. (23andMe says it never shares data without people’s consent; Pathway has a similar policy.) In an investigation of genetic testing companies this summer the General Accounting Office had a female caller ask whether she could send in her fiancé’s DNA and “surprise” him with the results. One company’s representative was enthusiastic, despite the firm’s policy against this.

As gene tests become common, possibilities for abuse will intensify. Banks might not offer you a mortgage if you were likely to die before it was paid off. A pregnant woman might secretly get DNA from her lovers so she knows who the father is. Someone might check out a potential mate for genetic flaws. Politicians might dig up dirt on their rivals. Another question: How far should law enforcement be allowed to go? Should prosecutors be allowed to subpoena a company’s DNA database of thousands of people if they suspect it contains a match to a crime suspect?

Gruber’s advocacy often pits him against scientists who want broad access to DNA samples to come up with disease cures. Researchers were devastated this year when a court ordered destruction of a Texas biobank with millions of newborns’ blood samples because hospitals had failed to get parental consent to collect them. Gruber is all for research but says that it is too easy for the data to get into the wrong hands. DNA you leave behind “is different from garbage. It has serious information about you and your family.”